Early in January 2025 it seemed like TikTok was on the verge of being banned by the U.S. government. In reaction to the imminent ban, several million people in the United States signed up for a different China-based social network, known in the U.S. as RedNote and in China as Xiaohongshu (小红书 / 小紅書, which translates to Little Red Book).
RedNote is an application and social network created in 2013 that currently has over 300 million users. Feature-wise it is most comparable to Instagram and is primarily used for sharing pictures and videos and for shopping. The vast majority of its users live in China, were born after 1990, and are women. Even before the influx of new users in January, RedNote had many users outside of China, primarily members of the Chinese diaspora with friends and relatives on the network. RedNote is largely funded by two major Chinese tech corporations, Tencent and Alibaba.
When millions of U.S.-based users started flocking to the application, the traditional rounds of pearl clutching and concern trolling began. Many people raised the alarm about U.S. users entrusting their data to a Chinese company and, by implication, the Chinese Communist Party. The reaction from U.S. users was an understandable, if unfortunate, bit of privacy nihilism. People responded that they “didn’t care if someone in China was getting their data, since U.S. companies such as Meta and Google had already stolen their data anyway.” “What is the difference,” people argued, “between Meta having my data and someone in China? How does this affect me in any way?”
Last week, The Citizen Lab at the Munk School of Global Affairs, University of Toronto, released a report authored by Mona Wang, Jeffrey Knockel, and Irene Poetranto that highlights three serious security issues in the RedNote app. The most concerning finding is that RedNote retrieves uploaded user content over plaintext HTTP. This means that anyone else on your network, at your internet service provider, or at an organization like the NSA can see everything you look at and upload to RedNote. Moreover, someone on the network path could intercept that request and replace the response with their own media, or even with an exploit to install malware on your device.
In light of this report, the EFF Threat Lab decided to confirm the Citizen Lab findings and do some additional privacy investigation of RedNote. We used static analysis techniques for our investigation, including manual review of decompiled source code and automated scanners such as MobSF and Exodus Privacy. We only analyzed version 8.59.5 of RedNote for Android, downloaded from the website APK Pure.
EFF has independently confirmed the finding that RedNote retrieves posted content over plaintext HTTP. Because the app lacks even basic transport-layer encryption for this traffic, we don’t think it is safe for anyone to use. Even if you don’t care about giving China your data, it is not safe to use any application that doesn’t use encryption by default.
Citizen Lab researchers also found that the contents of users’ files are readable by network attackers. We were able to confirm that RedNote encrypts several sensitive files with static keys that are embedded in the app and identical across every installation, so anyone who extracts those keys from a decompiled copy of the app can decrypt those files for any user of the application. The Citizen Lab report also describes a vulnerability through which an attacker could learn the contents of any file readable by the application. Testing this was out of scope for us, but we find no reason to doubt the claim.
The third major finding by Citizen Lab was that RedNote transmits device metadata in a way that can be eavesdropped on by network attackers, sometimes with no encryption at all and sometimes over HTTPS connections that are vulnerable to a machine-in-the-middle attack. From our static analysis we can confirm that RedNote does not validate HTTPS certificates properly. Actively testing the eavesdropping attack was out of scope for EFF, but we find no reason to doubt this claim.
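The two transport findings above (content fetched over plaintext HTTP, and HTTPS certificate validation that has been switched off) are exactly the kind of thing a static pass over a decompiled APK can surface. The following is an added example of such a pass, written for this page and not code from EFF, Citizen Lab, or RedNote: it greps decompiled Java for http:// endpoints (ignoring XML namespace URIs, the usual false positive), looks for X509TrustManager methods with empty bodies and HostnameVerifier implementations that always return true, and reads the manifest plus network security config to decide whether the platform would let the app speak cleartext at all. Every input it runs on is constructed for illustration; the class names, hostnames, and file names are assumptions.

```python
"""Added example: static checks for cleartext HTTP and disabled TLS validation
in decompiled Android sources.  All inputs below are constructed; none of it
is RedNote's code."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# http:// literals that are XML namespace URIs, not network endpoints
_NAMESPACE_HOSTS = {"schemas.android.com", "www.w3.org", "schemas.xmlsoap.org"}
_URL_RE = re.compile(r"http://[^\s\"'<>\\]+")

# X509TrustManager.checkServerTrusted/checkClientTrusted whose body is empty
# apart from whitespace or // comments: every certificate is accepted.
_EMPTY_TRUST_RE = re.compile(
    r"void\s+check(Server|Client)Trusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{"
    r"\s*(?://[^\n]*\n\s*)*\}"
)
# HostnameVerifier.verify() that unconditionally returns true, and the
# well-known allow-all verifiers from Apache HttpClient
_VERIFY_TRUE_RE = re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")
_ALLOW_ALL_RE = re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|NoopHostnameVerifier")


def find_cleartext_urls(source: str) -> list:
    """http:// URL literals in one source file, minus namespace URIs and loopback."""
    urls = []
    for m in _URL_RE.finditer(source):
        url = m.group(0)
        host = url[len("http://"):].split("/", 1)[0].split(":")[0]
        if host in _NAMESPACE_HOSTS or host in {"localhost", "127.0.0.1"}:
            continue
        urls.append(url)
    return urls


def find_broken_tls_validation(source: str) -> list:
    """Patterns that turn certificate or hostname validation into a no-op."""
    findings = [f"empty check{m.group(1)}Trusted" for m in _EMPTY_TRUST_RE.finditer(source)]
    if _VERIFY_TRUE_RE.search(source):
        findings.append("HostnameVerifier.verify always returns true")
    if _ALLOW_ALL_RE.search(source):
        findings.append("allow-all hostname verifier")
    return findings


def cleartext_permitted(manifest_xml: str, nsc_xml: Optional[str] = None) -> bool:
    """Will the platform let this app speak plaintext HTTP at all?
    Android 9+ blocks cleartext for apps targeting API 28+ unless the app opts
    back in via android:usesCleartextTraffic or a network security config; a
    config, when present, takes precedence over the manifest attribute."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", "1")) if uses_sdk is not None else 1
    platform_default = target < 28
    app = root.find("application")
    flag = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    permitted = platform_default if flag is None else flag == "true"
    if nsc_xml is not None:
        nsc = ET.fromstring(nsc_xml)
        base = nsc.find("base-config")
        base_flag = base.get("cleartextTrafficPermitted") if base is not None else None
        permitted = platform_default if base_flag is None else base_flag == "true"
        # any <domain-config> may re-enable cleartext for specific hosts
        permitted = permitted or any(
            d.get("cleartextTrafficPermitted") == "true" for d in nsc.iter("domain-config"))
    return permitted


def scan(sources: dict, manifest_xml: str, nsc_xml: Optional[str] = None) -> dict:
    """Run all checks over {filename: source} plus the app's XML resources."""
    return {
        "cleartext_urls": {f: u for f, s in sources.items() if (u := find_cleartext_urls(s))},
        "tls_validation": {f: v for f, s in sources.items() if (v := find_broken_tls_validation(s))},
        "cleartext_permitted": cleartext_permitted(manifest_xml, nsc_xml),
    }


# --- constructed sample inputs (hypothetical app, not RedNote) ---------------
SAMPLE_JAVA = '''
public class ImageLoader {
    static final String CDN = "http://img.cdn.example.invalid/notes/";   // plaintext fetch
    static final String API = "https://api.example.invalid/v1/";
    static final String NS  = "http://schemas.android.com/apk/res/android";
}
'''
SAMPLE_TRUST = '''
public class TrustAll implements X509TrustManager {
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // accept everything
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
public class AnyHost implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}
'''
SAMPLE_MANIFEST = '''<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
    <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>'''
WEAK_NSC = '''<network-security-config>
    <base-config cleartextTrafficPermitted="true"/>
</network-security-config>'''
HARDENED_NSC = '''<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
</network-security-config>'''

if __name__ == "__main__":
    import json
    print(json.dumps(scan({"ImageLoader.java": SAMPLE_JAVA, "TrustAll.java": SAMPLE_TRUST},
                          SAMPLE_MANIFEST, WEAK_NSC), indent=2))
```

The regexes are deliberately narrow: they catch the textbook "trust everything" shapes, not every way of breaking validation (a checkServerTrusted that catches and swallows the exception, or a custom pinning routine with a bug, needs a human reading the decompiled code). A hit in cleartext_urls is only a lead until you see the request on the wire, which is what the Citizen Lab team did.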
EFF performed further analysis of the permissions and trackers requested by RedNote. Our findings indicate two other potential privacy issues with the application.
RedNote requests some very sensitive permissions, including android.permission.ACCESS_BACKGROUND_LOCATION, which lets the app read the device’s location even when it is not running in the foreground (the full list is in Figure 1). This permission is not requested by other similar apps such as TikTok, Facebook, or Instagram.
We also found, using Exodus Privacy, an online scanner for tracking software, that RedNote is not a platform that will protect its users from U.S.-based surveillance capitalism. In addition to sharing user data with the Chinese companies Tencent and ByteDance, it also shares user data with Facebook and Google.
RedNote contains functionality to update its own code after it has been installed from the Google Play store, using an open-source library called APK Patch. This could be used to inject malicious code into the application after installation, without that code being visible to the automated scans meant to keep malicious applications out of official stores like Google Play.
Due to the lack of encryption we do not consider it safe for anyone to run this app. If you are going to use RedNote, we recommend doing so with the absolute minimum set of permissions necessary for the app to function (see our guides for iPhone and Android). At least part of the blame falls on Google. Android 9 and later already block cleartext traffic by default for apps that target API level 28 or higher, but an app can opt back in with the android:usesCleartextTraffic manifest attribute or a network security config that sets cleartextTrafficPermitted="true". Android needs to stop allowing apps to make unencrypted requests at all.
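The permission claim above (background location requested, and not requested by comparable apps) is reproducible from the decoded manifest of each app. Below is an added example of how to do that, written for this page rather than taken from EFF's tooling: it pulls the uses-permission entries out of a decoded AndroidManifest.xml, honours android:maxSdkVersion (a permission capped at an old SDK is not actually requested on a current device), buckets the result into platform-sensitive, other platform, and vendor/SDK-defined permissions, and diffs two apps' sets. The two manifests are constructed for illustration and are not RedNote's or any other real app's; a real one comes from apktool d app.apk (decoded XML) or aapt dump permissions app.apk.

```python
"""Added example: permission extraction, triage and diff for decoded
AndroidManifest.xml files.  The manifests below are constructed; they are
not RedNote's."""
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that reach beyond the app's own sandbox, with the question a
# reviewer should ask.  A review aid, not a verdict.
SENSITIVE = {
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_CALENDAR": "calendar contents",
    "android.permission.READ_PHONE_STATE": "device identifiers and call state",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can ask to install other packages",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (overlay attacks)",
    "com.google.android.gms.permission.AD_ID": "Google advertising ID (cross-app tracking)",
}


def requested_permissions(manifest_xml: str, device_sdk: Optional[int] = None) -> list:
    """Names from <uses-permission> and <uses-permission-sdk-23>, sorted, de-duplicated.
    With device_sdk given, entries whose android:maxSdkVersion is below it are
    dropped: the platform ignores them on such a device, so they are not requested."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            max_sdk = el.get(ANDROID_NS + "maxSdkVersion")
            if not name:
                continue
            if device_sdk is not None and max_sdk is not None and int(max_sdk) < device_sdk:
                continue
            names.add(name)
    return sorted(names)


def classify(perms) -> dict:
    """Bucket into sensitive (with reason), other platform, and vendor/SDK-defined."""
    out = {"sensitive": {}, "platform": [], "vendor": []}
    for p in perms:
        if p in SENSITIVE:
            out["sensitive"][p] = SENSITIVE[p]
        elif p.startswith("android.permission."):
            out["platform"].append(p)
        else:
            out["vendor"].append(p)  # OEM launchers, push SDKs, the app's own signature perms
    return out


def only_in_first(perms_a, perms_b) -> list:
    """Permissions app A requests that comparable app B does not."""
    return sorted(set(perms_a) - set(perms_b))


# --- constructed sample manifests (hypothetical apps, not RedNote) -----------
APP_A = '''<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.a">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="28"/>
    <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
    <uses-permission android:name="com.huawei.android.launcher.permission.CHANGE_BADGE"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
    <application/>
</manifest>'''
APP_B = '''<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.b">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application/>
</manifest>'''

if __name__ == "__main__":
    a = requested_permissions(APP_A, device_sdk=33)
    b = requested_permissions(APP_B, device_sdk=33)
    for name, reason in classify(a)["sensitive"].items():
        print(f"{name}: {reason}")
    print("only in A:", only_in_first(a, b))
```

Declaring a permission in the manifest is not the same as holding it: runtime permissions such as location still need a user grant, and background location on Android 10+ needs a separate grant on top of foreground location. The manifest diff tells you what the app is prepared to ask for, which is the right question when comparing apps.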
RedNote should immediately take steps to encrypt all traffic from their application and remove the permission for background location information.
Users should also keep in mind that RedNote is not a platform which values free speech. It’s a heavily censored application where topics such as political speech, drugs and addiction, and sexuality are more tightly controlled than similar social networks.
Since it shares data with Facebook and Google ad networks, RedNote users should also keep in mind that it’s not a platform that protects you from U.S.-based surveillance capitalism.
The willingness of users to so quickly move to RedNote also highlights the fact that people are hungry for platforms that aren’t controlled by the same few American tech oligarchs. People will happily jump to another platform even if it presents new, unknown risks; or is controlled by foreign tech oligarchs such as Tencent and Alibaba.
However, federal bans of such applications are not the correct answer. When bans are targeted at specific platforms such as TikTok, DeepSeek, and RedNote rather than at privacy-invasive practices such as sharing sensitive details with surveillance advertising platforms, users who cannot participate on the banned platform may still have their privacy violated when they flock to other platforms. The real solution to the potential privacy harms of apps like RedNote is to ensure (through technology, regulation, and law) that people’s sensitive information isn’t entered into the surveillance capitalist data stream in the first place.
We need a federal, comprehensive, consumer-focused privacy law. Our government is failing to address the fundamental harms of privacy-invading social media. Implementing xenophobic, free-speech infringing policy is having the unintended consequence of driving folks to platforms with even more aggressive censorship. This outcome was foreseeable. Rather than a knee-jerk reaction banning the latest perceived threat, these issues could have been avoided by addressing privacy harms at the source and enacting strong consumer-protection laws.
Figure 1. Permissions requested by RedNote

Descriptions are Android’s own for platform permissions. Entries marked “not in the Android reference” are vendor-, OEM- or SDK-defined: Huawei/Honor, Xiaomi, vivo, OPPO/oplus/ColorOS, Meizu and ASUS launcher, push and identifier integrations; the Getui, JPush and MiPush push SDKs; and permissions RedNote defines for itself (com.xingin.xhs is RedNote’s package name).

| Permission | Description |
|---|---|
| android.permission.ACCESS_BACKGROUND_LOCATION | This app can access location at any time, even while the app is not in use. |
| android.permission.ACCESS_COARSE_LOCATION | This app can get your approximate location from location services while the app is in use. Location services for your device must be turned on for the app to get location. |
| android.permission.ACCESS_FINE_LOCATION | This app can get your precise location from location services while the app is in use. Location services for your device must be turned on for the app to get location. This may increase battery usage. |
| android.permission.ACCESS_MEDIA_LOCATION | Allows the app to read locations from your media collection. |
| android.permission.ACCESS_NETWORK_STATE | Allows the app to view information about network connections such as which networks exist and are connected. |
| android.permission.ACCESS_WIFI_STATE | Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and the names of connected Wi-Fi devices. |
| android.permission.AUTHENTICATE_ACCOUNTS | Allows the app to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords. |
| android.permission.BLUETOOTH | Allows the app to view the configuration of Bluetooth on the phone, and to make and accept connections with paired devices. |
| android.permission.BLUETOOTH_ADMIN | Allows the app to configure the local Bluetooth phone, and to discover and pair with remote devices. |
| android.permission.BLUETOOTH_CONNECT | Allows the app to connect to paired Bluetooth devices. |
| android.permission.CAMERA | This app can take pictures and record videos using the camera while the app is in use. |
| android.permission.CHANGE_NETWORK_STATE | Allows the app to change the state of network connectivity. |
| android.permission.CHANGE_WIFI_STATE | Allows the app to connect to and disconnect from Wi-Fi access points and to make changes to device configuration for Wi-Fi networks. |
| android.permission.EXPAND_STATUS_BAR | Allows the app to expand or collapse the status bar. |
| android.permission.FLASHLIGHT | Allows the app to control the flashlight. |
| android.permission.FOREGROUND_SERVICE | Allows the app to make use of foreground services. |
| android.permission.FOREGROUND_SERVICE_DATA_SYNC | Allows the app to make use of foreground services with the type dataSync. |
| android.permission.FOREGROUND_SERVICE_LOCATION | Allows the app to make use of foreground services with the type location. |
| android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK | Allows the app to make use of foreground services with the type mediaPlayback. |
| android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION | Allows the app to make use of foreground services with the type mediaProjection. |
| android.permission.FOREGROUND_SERVICE_MICROPHONE | Allows the app to make use of foreground services with the type microphone. |
| android.permission.GET_ACCOUNTS | Allows the app to get the list of accounts known by the phone. This may include any accounts created by applications you have installed. |
| android.permission.INTERNET | Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet. |
| android.permission.MANAGE_ACCOUNTS | Allows the app to perform operations like adding and removing accounts, and deleting their password. |
| android.permission.MANAGE_MEDIA_PROJECTION | Allows an application to manage media projection sessions. These sessions can provide applications the ability to capture display and audio contents. Should never be needed by normal apps. |
| android.permission.MODIFY_AUDIO_SETTINGS | Allows the app to modify global audio settings such as volume and which speaker is used for output. |
| android.permission.POST_NOTIFICATIONS | Allows the app to show notifications. |
| android.permission.READ_CALENDAR | This app can read all calendar events stored on your phone and share or save your calendar data. |
| android.permission.READ_CONTACTS | Allows the app to read data about your contacts stored on your phone. Apps will also have access to the accounts on your phone that have created contacts. This may include accounts created by apps you have installed. This permission allows apps to save your contact data, and malicious apps may share contact data without your knowledge. |
| android.permission.READ_EXTERNAL_STORAGE | Allows the app to read the contents of your shared storage. |
| android.permission.READ_MEDIA_AUDIO | Allows the app to read audio files from your shared storage. |
| android.permission.READ_MEDIA_IMAGES | Allows the app to read image files from your shared storage. |
| android.permission.READ_MEDIA_VIDEO | Allows the app to read video files from your shared storage. |
| android.permission.READ_PHONE_STATE | Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call. |
| android.permission.READ_SYNC_SETTINGS | Allows the app to read the sync settings for an account. For example, this can determine whether the People app is synced with an account. |
| android.permission.RECEIVE_BOOT_COMPLETED | Allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the phone and allow the app to slow down the overall phone by always running. |
| android.permission.RECEIVE_USER_PRESENT | Not in the Android reference (broadcast permission for the user-present event). |
| android.permission.RECORD_AUDIO | This app can record audio using the microphone while the app is in use. |
| android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Allows an app to ask for permission to ignore battery optimizations for that app. |
| android.permission.REQUEST_INSTALL_PACKAGES | Allows an application to request installation of packages. |
| android.permission.SCHEDULE_EXACT_ALARM | This app can schedule work to happen at a desired time in the future. This also means that the app can run when you’re not actively using the device. |
| android.permission.SYSTEM_ALERT_WINDOW | This app can appear on top of other apps or other parts of the screen. This may interfere with normal app usage and change the way that other apps appear. |
| android.permission.USE_CREDENTIALS | Allows the app to request authentication tokens. |
| android.permission.VIBRATE | Allows the app to control the vibrator. |
| android.permission.WAKE_LOCK | Allows the app to prevent the phone from going to sleep. |
| android.permission.WRITE_CALENDAR | This app can add, remove, or change calendar events on your phone. This app can send messages that may appear to come from calendar owners, or change events without notifying their owners. |
| android.permission.WRITE_CLIPBOARD_SERVICE | Not in the Android reference. |
| android.permission.WRITE_EXTERNAL_STORAGE | Allows the app to write the contents of your shared storage. |
| android.permission.WRITE_SETTINGS | Allows the app to modify the system’s settings data. Malicious apps may corrupt your system’s configuration. |
| android.permission.WRITE_SYNC_SETTINGS | Allows an app to modify the sync settings for an account. For example, this can be used to enable sync of the People app with an account. |
| cn.org.ifaa.permission.USE_IFAA_MANAGER | Not in the Android reference (IFAA biometric authentication framework). |
| com.android.launcher.permission.INSTALL_SHORTCUT | Allows an application to add Homescreen shortcuts without user intervention. |
| com.android.launcher.permission.READ_SETTINGS | Not in the Android reference (launcher settings). |
| com.asus.msa.SupplementaryDID.ACCESS | Not in the Android reference (ASUS device identifier). |
| com.coloros.mcs.permission.RECIEVE_MCS_MESSAGE | Not in the Android reference (OPPO ColorOS push). |
| com.google.android.gms.permission.AD_ID | Google Play services permission to read the Google advertising ID; not in the Android reference. |
| com.hihonor.push.permission.READ_PUSH_NOTIFICATION_INFO | Not in the Android reference (Honor push). |
| com.hihonor.security.permission.ACCESS_THREAT_DETECTION | Not in the Android reference (Honor security service). |
| com.huawei.android.launcher.permission.CHANGE_BADGE | Not in the Android reference (Huawei launcher badge). |
| com.huawei.android.launcher.permission.READ_SETTINGS | Not in the Android reference (Huawei launcher). |
| com.huawei.android.launcher.permission.WRITE_SETTINGS | Not in the Android reference (Huawei launcher). |
| com.huawei.appmarket.service.commondata.permission.GET_COMMON_DATA | Not in the Android reference (Huawei AppGallery). |
| com.huawei.meetime.CAAS_SHARE_SERVICE | Not in the Android reference (Huawei MeeTime). |
| com.meizu.c2dm.permission.RECEIVE | Not in the Android reference (Meizu push). |
| com.meizu.flyme.push.permission.RECEIVE | Not in the Android reference (Meizu push). |
| com.miui.home.launcher.permission.INSTALL_WIDGET | Not in the Android reference (Xiaomi MIUI launcher). |
| com.open.gallery.smart.Provider | Not in the Android reference. |
| com.oplus.metis.factdata.permission.DATABASE | Not in the Android reference (OPPO/oplus). |
| com.oplus.permission.safe.AI_APP | Not in the Android reference (OPPO/oplus). |
| com.vivo.identifier.permission.OAID_STATE_DIALOG | Not in the Android reference (vivo advertising identifier). |
| com.vivo.notification.permission.BADGE_ICON | Not in the Android reference (vivo badge). |
| com.xiaomi.dist.permission.ACCESS_APP_HANDOFF | Not in the Android reference (Xiaomi). |
| com.xiaomi.dist.permission.ACCESS_APP_META | Not in the Android reference (Xiaomi). |
| com.xiaomi.security.permission.ACCESS_XSOF | Not in the Android reference (Xiaomi). |
| com.xingin.xhs.permission.C2D_MESSAGE | Defined by RedNote itself for its push receivers; not in the Android reference. |
| com.xingin.xhs.permission.JOPERATE_MESSAGE | Defined by RedNote itself for its push receivers; not in the Android reference. |
| com.xingin.xhs.permission.JPUSH_MESSAGE | Defined by RedNote itself for the JPush SDK; not in the Android reference. |
| com.xingin.xhs.permission.MIPUSH_RECEIVE | Defined by RedNote itself for the MiPush SDK; not in the Android reference. |
| com.xingin.xhs.permission.PROCESS_PUSH_MSG | Defined by RedNote itself for its push receivers; not in the Android reference. |
| com.xingin.xhs.permission.PUSH_PROVIDER | Defined by RedNote itself for its push receivers; not in the Android reference. |
| com.xingin.xhs.push.permission.MESSAGE | Defined by RedNote itself for its push receivers; not in the Android reference. |
| freemme.permission.msa | Not in the Android reference. |
| freemme.permission.msa.SECURITY_ACCESS | Not in the Android reference. |
| getui.permission.GetuiService.com.xingin.xhs | Not in the Android reference (Getui push SDK, scoped to RedNote’s package). |
| ohos.permission.ACCESS_SEARCH_SERVICE | Not in the Android reference (Huawei HarmonyOS). |
| oplus.permission.settings.LAUNCH_FOR_EXPORT | Not in the Android reference (OPPO/oplus). |